Microsoft has released MS15-093, an out-of-band update for all supported versions of Windows. This bulletin fixes a vulnerability in Internet Explorer (designated as CVE-2015-2502) that allowed an attacker to run arbitrary code on a user’s system if the user visited a malicious site. A compromised site, spear phishing, and/or malicious ads could all be used to deliver exploits targeting this vulnerability to the user. This threat is already in use in limited, targeted watering hole attacks in the wild.
This particular vulnerability is a memory corruption vulnerability, which has historically proven to be a common problem for Internet Explorer. While this vulnerability has been rated as Critical by Microsoft and no mitigations/workarounds were identified in the post, there are several factors that help lessen the risk to users.
First, any code is run with the privileges of the logged-in user; therefore users who run as an ordinary user and not as an administrator are at lesser risk. Secondly, users of the new Microsoft Edge browser in Windows 10 are not at risk. In addition, Internet Explorer in server versions of Windows (Server 2008, Server 2008 R2, Server 2012, or Server 2012 R2) runs in a restricted mode that reduces the risk for these OSes.
Trend Micro Deep Security and Vulnerability Protection users are already protected from this threat; the following rule that was released as part of the regular Patch Tuesday set of rules also covers this vulnerability:
- 1006957 – Microsoft Internet Explorer Arbitrary Remote Code Execution Vulnerability
We urge all affected users to immediately use Windows Update to download and install this update. Users who wish to download this update manually should note that this bulletin is not a cumulative update for Internet Explorer. As a result, the August cumulative update should be installed before this new patch is installed.
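As an added example (not part of the original post, and not a Trend Micro tool), the PowerShell below reports the mitigating factors described above for the local machine: whether the session runs with administrative rights, whether IE’s restricted mode (Enhanced Security Configuration) is enabled on a server SKU, and whether the August cumulative update and the MS15-093 update are both installed. The two KB numbers are placeholders to be taken from the Microsoft bulletins.

```powershell
# Placeholders: replace with the KB numbers from the August IE cumulative
# update bulletin and from MS15-093 (not stated in the post above).
$AugustCumulativeKB = 'KB_PLACEHOLDER_AUGUST_IE_CUMULATIVE'
$Ms15093KB          = 'KB_PLACEHOLDER_MS15_093'

# 1. Privilege of the current session. Exploit code inherits these rights,
#    so an administrative session is the higher-risk case noted in the post.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Server SKU detection (ProductType 1 = workstation, 2/3 = server).
#    Get-WmiObject is used so this also runs on PowerShell 2.0 (Server 2008).
$isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1

# 3. IE Enhanced Security Configuration state, the "restricted mode" the post
#    refers to. These Active Setup component keys hold IsInstalled = 1 when
#    IE ESC is on for administrators (A7) and for users (A8) respectively.
$escAdminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$escUserKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

function Get-IeEscState([string]$Key) {
    if (Test-Path $Key) { (Get-ItemProperty $Key).IsInstalled -eq 1 } else { $null }
}

# 4. Patch presence. MS15-093 is not cumulative, so the August cumulative
#    update must be present as well for the system to be fully covered.
function Test-HotFixPresent([string]$Kb) {
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$report = New-Object PSObject -Property @{
    ComputerName            = $env:COMPUTERNAME
    RunningAsAdmin          = $isAdmin
    IsServerSku             = $isServer
    IeEscEnabledForAdmins   = if ($isServer) { Get-IeEscState $escAdminKey } else { 'n/a' }
    IeEscEnabledForUsers    = if ($isServer) { Get-IeEscState $escUserKey }  else { 'n/a' }
    AugustCumulativePresent = Test-HotFixPresent $AugustCumulativeKB
    Ms15093Present          = Test-HotFixPresent $Ms15093KB
}

# A host is fully covered only when both updates are present; the other
# fields show which of the post's mitigating factors apply in the meantime.
$report.FullyPatched = $report.AugustCumulativePresent -and $report.Ms15093Present
$report | Format-List
```

Run it in an elevated or non-elevated session as appropriate; the RunningAsAdmin field reflects the session it is run from, not whether the account is a member of Administrators.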